The problem at the moment is that the Linux firewall has to have its NICs on different subnets (external: via DHCP from the border router on 192.168.1.*; internal on 192.168.2.*). I can, with the current border router, change the subnet mask to 255.255.0.0 so that it doesn't "mind" dealing with addresses on the two different subnets. However, I can't add a route to the internal LAN (192.168.2.*). So the border router only knows that the Linux firewall is reached at 192.168.1.*, and there's no way, on this border router, to add a route to 192.168.2.*. So I can't ping the border router from my Ubuntu hosts on the LAN. I can ping the Linux firewall's internal and external interfaces from the Ubuntu hosts on the LAN, but I can't ping the border router from the LAN because it doesn't know how to get to 192.168.2.*.
I need to replace the border router, which is just a home router, with a machine that has all the usual capabilities of a home router/ADSL box AND the capability to add routes to other subnets. It needs firewalling capabilities because plugged into the switch (coming out of the ADSL box), in the diagram, are 2 Ubuntu servers. It would also be good if it could do things like changing the subnet mask. As flexible as possible. I'm willing to spend a fair bit, i.e. less than 200 pounds. Off the top of your heads, is there any router that you could recommend that is good for a fully UNIX network involving different subnets and that could replace a home router?
Or do I need a router that you can install a special Linux on? And if so, are there any recommended?
Thank you so much for your time and any replies. Fare ye well.

you can lead a horse to water but you can't climb a ladder with a bell in both hands

That's what I tried (putting the firewall in the ADSL's DMZ) originally. The ADSL/router just seemed to do it a bit unpredictably and I decided on the sometimes called "screened subnet architecture". I will try that again though (with the ADSL's DMZ). If I have a problem with this I'll probably post here again. Thank you very much for your speedy replies. That's great. This seems like a great forum.


I've tried putting the dedicated firewall in the ADSL/border router's DMZ. The ADSL/border router won't let this happen. It won't recognise that the dedicated firewall is part of the network and so give it to me as one of the optional hosts to put in its DMZ. So I decided to go with the original plan but buy a new ADSL/border router that runs DD-WRT. I'm just wondering, will it have all the necessary configuration options to replace the ADSL/border router that my ISP gave me? The router I'm replacing the ISP's router with is a "Buffalo Technologies Nfiniti Wireless-N High Power Router & Access Point WZR-HP-G300NH".
So I'm very much hoping that with this and an ADSL modem I'll be able to build whatever network I want at home, being as though said router does come preloaded with DD-WRT. I just thought I'd check here before I bought it.
Thank you for any replies


BTW, I'm only asking in case you had a general opinion about replacing one's ISP-given router, or if you'd heard anything about these routers. I don't realistically expect you to go away and find out through research what I couldn't find out with Google.


Sorry, we were talking at cross purposes. I meant a dedicated firewall that is a Linux/BSD box with 3 NICs. One NIC is plugged into the ADSL/border router (and in its DMZ); the other two NICs are plugged into a LAN and a DMZ.


kimcarsons wrote: Sorry, we were talking at cross purposes. I meant a dedicated firewall that is a Linux/BSD box with 3 NICs. One NIC is plugged into the ADSL/border router (and in its DMZ); the other two NICs are plugged into a LAN and a DMZ.

If you plug your firewall into the DMZ then you are bypassing the DMZ, which is illogical; the whole point of the DMZ is to eliminate any possibility of your private network being touched by the interweb. If the machine on the DMZ is accessible from the outside then you can obviously get at it.

Last edited by towy71 on Tue Jan 25, 2011 10:58 pm, edited 1 time in total.

Yes, well, I thought I could put the dedicated firewall (Linux/BSD box) in the ADSL/border router's DMZ. Then the dedicated firewall (Linux/BSD box) could do NAT and DHCP and be a firewall for servers, which would be hanging off one of its NICs, and a LAN, which would be hanging off the other NIC.
What's wrong with that? The servers wouldn't be in the dedicated firewall's DMZ. The dedicated firewall's external NIC would be in the ADSL/border router's DMZ. Any other clients in the house (that are other people's) would just use the ADSL/border router in the normal way and have nothing to do with my set-up.


It sounds unnecessarily complicated; why not just connect the firewall to one of the modem/router's LAN ports, effectively using it only as a modem? Then your firewall/router box could take care of everything else.

Remember, the more complex and difficult to understand a firewall setup is, the more likely it is to work incorrectly.

"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

I can, with the current border router, change the subnet mask to 255.255.0.0 so that it doesn't "mind" dealing with addresses on the two different subnets.

With a mask of 255.255.0.0 or /16 they are both in the same subnet, as are all 192.168.x.x addresses. That alone will prevent any routing, as you can only route between different subnets.

There is nothing complex about your setup; it is standard for an internet-facing DMZ and an internal NATed LAN.

To make this work you need to change the masks to 192.168.x.x 255.255.255.0 or /24.

The firewall will need a default route, which would be ip route 0.0.0.0 0.0.0.0 192.168.1.1, assuming your router's address is 192.168.1.1/24, and you will need to be NATing on its 192.168.1.x/24 address.

If you need to be able to get from the 192.168.1.1 LAN to the 192.168.2.1 LAN you will need to put a static route pointing at the IP address of the firewall in your router.

The firewall's 192.168.2.x address needs to be the default gateway for the 192.168.2.0/24 LAN, and the firewall's default gateway needs to be the router's ethernet port 192.168.1.1/24.

As your IP space is private, the firewall is not doing anything useful, as 192.168.0.0/16 is not publicly routable IP space (see RFC 1918).

Even if some ISP was dumb enough to advertise it into BGP, most of the ISPs in the world filter it out. Even if they did not, there are millions of 192.168.1.0/24 networks, so they can't easily connect.
They would need a trojan to connect out, and that is a tad difficult in Linux, but maybe not impossible.
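The routing situation discussed in this thread, as an added example that is not part of any post above: a small Python model of longest-prefix-match forwarding over the three boxes (border router, three-NIC Linux firewall, a host on the 192.168.2.0/24 LAN). It reproduces the original symptom (the ping reaches the router but the router has no route back to 192.168.2.x), shows why the 255.255.0.0 mask does not help (the router then believes 192.168.2.20 is on-link and its ARP on the wrong segment goes unanswered), and shows both fixes given in the last post: a static route for 192.168.2.0/24 in the router pointing at the firewall, or NAT on the firewall's 192.168.1.x address. The addresses 192.168.1.10 (firewall outside NIC) and 192.168.2.20 (LAN host), and the link and device names, are assumptions constructed for the example.

```python
"""Toy longest-prefix-match forwarding model of the screened-subnet setup:
border router <-> three-NIC Linux firewall <-> 192.168.2.0/24 LAN.
Added example; 192.168.1.10 (firewall outside NIC) and 192.168.2.20 (LAN host)
are assumed addresses, and link/device names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Iface:
    dev: str
    addr: ipaddress.IPv4Interface   # address with mask, e.g. 192.168.1.10/24
    link: str                       # the L2 segment this NIC is plugged into


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[IPv4] = None      # None = directly connected (on-link)


@dataclass
class Node:
    name: str
    ifaces: list
    routes: list = field(default_factory=list)

    def __post_init__(self):
        # Connected routes come from each interface's mask, which is why a /16
        # on the router changes what it believes is reachable without a gateway.
        for i in self.ifaces:
            self.routes.append(Route(i.addr.network, i.dev))

    def owns(self, ip):
        return any(i.addr.ip == ip for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def neighbour_on_link(nodes, link, ip):
    """The node that would answer an ARP for ip on this segment, if any."""
    for n in nodes.values():
        if any(i.link == link and i.addr.ip == ip for i in n.ifaces):
            return n
    return None


def path(nodes, start, dst, max_hops=8):
    """Names of the nodes a packet to dst visits, or None if it is dropped."""
    dst = IPv4(str(dst))
    node = nodes[start]
    hops = [node.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return hops
        r = node.lookup(dst)
        if r is None:
            return None                               # no route: dropped
        link = next(i.link for i in node.ifaces if i.dev == r.dev)
        nxt = neighbour_on_link(nodes, link, r.via if r.via else dst)
        if nxt is None:
            return None                               # ARP goes unanswered
        node = nxt
        hops.append(node.name)
    return None


def build(router_mask=24, router_static_route=False):
    """Topology from the thread. router_mask=16 models the 255.255.0.0 attempt;
    router_static_route=True models the static route suggested in the thread."""
    router = Node("router", [Iface("lan", ipaddress.ip_interface(f"192.168.1.1/{router_mask}"), "outside")])
    if router_static_route:
        router.routes.append(Route(ipaddress.ip_network("192.168.2.0/24"), "lan", IPv4("192.168.1.10")))
    fw = Node("firewall", [Iface("eth0", ipaddress.ip_interface("192.168.1.10/24"), "outside"),
                           Iface("eth1", ipaddress.ip_interface("192.168.2.1/24"), "inside")])
    fw.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", IPv4("192.168.1.1")))
    host = Node("host", [Iface("eth0", ipaddress.ip_interface("192.168.2.20/24"), "inside")])
    host.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", IPv4("192.168.2.1")))
    return {n.name: n for n in (router, fw, host)}


def ping(nodes, src, dst, snat_to=None):
    """Forward path and reply path of one ping. snat_to models the firewall
    masquerading the host behind its own 192.168.1.x address."""
    fwd = path(nodes, src, dst)
    if fwd is None:
        return None, None
    reply_dst = snat_to if snat_to is not None else nodes[src].ifaces[0].addr.ip
    return fwd, path(nodes, fwd[-1], reply_dst)


if __name__ == "__main__":
    print("no route back    :", ping(build(), "host", "192.168.1.1"))
    print("/16 on the router:", ping(build(router_mask=16), "host", "192.168.1.1"))
    print("static route     :", ping(build(router_static_route=True), "host", "192.168.1.1"))
    print("NAT on firewall  :", ping(build(), "host", "192.168.1.1", snat_to=IPv4("192.168.1.10")))
```

The first two cases return a forward path of host, firewall, router and a reply path of None, which is exactly the "can ping the firewall but not the border router" symptom: the request arrives, the echo reply is dropped at the router. The static-route case returns router, firewall, host for the reply; the NAT case returns router, firewall, because the router only ever sees the firewall's 192.168.1.10 and the firewall translates the reply back itself.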